z/OS Cryptographic Services ICSF Application Programmer's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Reason Codes for Return Code 8 (8)

z/OS Cryptographic Services ICSF Application Programmer's Guide
SA22-7522-16

Table 329 lists reason codes returned from callable services that give return code 8.

Most of these reason codes indicate that the call to the service was unsuccessful. No cryptographic processing took place. Therefore, no output parameters were filled. Exceptions to this are noted in the descriptions.

Table 329. Reason Codes for Return Code 8 (8)
Reason Code Hex (Decimal) Description
00C (12) A key identifier was passed to a service or token. It is checked in detail to ensure that it is a valid token, and that the fields within it are valid values. There is a token validation value (TVV) in the token, which is a non-cryptographic value. This value was again computed from the rest of the token, and compared to the stored TVV. If these two values are not the same, this reason code is returned.

User action: The contents of the token have been altered because it was created by ICSF or TSS. Review your program to see how this could have been caused.

016 (22) The ID number in the request field is not valid. The PAN data is incorrect for VISA CVV.
017 (23) Offset length not correct for data to be inserted.
018 (24) A key identifier was passed to a service. The master key verification pattern in the token shows that the key was created with a master key that is neither the current master key nor the old master key. Therefore, it cannot be reenciphered to the current master key.

User action: Re-import the key from its importable form (if you have it in this form), or repeat the process you used to create the operational key form. If you cannot do one of these, you cannot repeat any previous cryptographic process that you performed with this token.

REASONCODES: ICSF 2714 (10004)

019 (025) A length parameter has an incorrect value. The value in the length parameter could have been zero (when a positive value was required) or a negative value. If the supplied value was positive, it could have been larger than your installation’s defined maximum, or for MDC generation with no padding, it could have been less than 16 or not an even multiple of 8.

User action: Check the length you specified. If necessary, check your installation’s maximum length with your ICSF administrator. Correct the error.

01D (29) A key identifier was passed to a service or token. It is checked in detail to ensure that it is a valid token, and that the fields within it are valid values. There is a token validation value (TVV) in the token, which is a non-cryptographic value. This value was again computed from the rest of the token, and compared to the stored TVV. If these two values are not the same, this reason code is returned.

User action: The contents of the token have been altered because it was created by ICSF or TSS. Review your program to see how this could have been caused.

REASONCODES: ICSF 2710 (10000)

01E (30) A key label was supplied for a key identifier parameter. This label is the label of a key in the in-storage CKDS or the PKDS. Either the key could not be found, or a key record with that label and the specific type required by the ICSF callable service could not be found. For a retained key label, this error code is also returned if the key is not found in the PCICC, PCIXCC, CEX2C, or CEX3C specified in the PKDS record.

User action: Check with your administrator if you believe that this key should be in the in-storage CKDS or the PKDS. The administrator may be able to bring it into storage. If this key cannot be in storage, use a different label.

REASONCODES: ICSF 271C (10012)

01F (31) The control vector did not specify a DATA key.

REASONCODES: ICSF 272C (10028)

020 (32) You called the CKDS key record create callable service, but the key_label parameter syntax was incorrect.

User action: Correct key_label syntax.

REASONCODES: ICSF 3EA0 (16032)

021 (33) The rule_array parameter contents or a parameter value is not correct.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the correct value.

REASONCODES: ICSF 7E0 (2016)

022 (34) A rule_array keyword combination is not valid.

REASONCODES: ICSF 7E0 (2016)

023 (35) The rule_array_count parameter contains a number that is not valid.

User action: Refer to the rule_array_count parameter described in this publication under the appropriate callable service for the correct value.

REASONCODES: ICSF 7DC (2012)

027 (39) A control vector violation occurred.

REASONCODES: This reason code also corresponds to these ICSF reason codes: 272C (10028), 2730 (10032), 2734 (10036), 2744 (10052), 2768 (10088), 278C (10124), 3E90 (16016), 2724 (10020).

028 (40) The service code does not contain numerical data.

REASONCODES: ICSF BE0 (3040)

029 (41) The key_form parameter is neither IM nor OP. Most constants, these included, can be supplied in lower or uppercase. Note that this parameter is 4 bytes long, so the value IM or OP is not valid. They must be padded on the right with blanks.

User action: Review the value provided and change it to IM or OP, as required.

02A (42) The expiration date is not numeric (X'F0' through X'F9'). The parameter must be character representations of numerics or hexadecimal data.

User action: Review the numeric parameters or fields required in the service that you called and change to the format and values required.

REASONCODES: ICSF BE0 (3040)

02B (43) The value specified for the key_length parameter of the key generate callable service is not valid.

User action: Review the value provided and change it as appropriate.

REASONCODES: See also the ICSF reason code 80C (2060) or 2710 (10000) for additional information.

02C (44) The CKDS key record create callable service requires that the key created not already exist in the CKDS. A key of the same label was found.

User action: Make sure the application specifies the correct label. If the label is correct, contact your ICSF security administrator or system programmer.

02D (45) An input character is not in the code table.

User action: Correct the code table or the source text.

02F (47) A source key token is unusable because it contains data that is not valid or undefined.

REASONCODES: This reason code also corresponds to these ICSF reason codes: 83C (2108), 2754 (10068), 2758 (10072), 275C (10076), 2AFC (11004), 2B04 (11012), 2B08 (11016), 2B10 (11024). Please see those reason codes for additional information.

030 (48) One or more keys has a master key verification pattern that is not valid.

This reason code also corresponds to these ICSF reason codes: 2714 (10004) and 2B0C (11020). Please see those reason codes for additional information.

031 (49) Key identifiers contain a version number. The version number in a supplied key identifier (internal or external) is inconsistent with one or more fields in the key identifier, making the key identifier unusable.

User action: Use a token containing the required version number.

REASONCODES: ICSF 2738 (10040)

033 (51) The encipher and decipher callable services sometime require text (plaintext or ciphertext) to have a length that is an exact multiple of 8 bytes. Padding schemes always create ciphertext with a length that is an exact multiple of 8. If you want to decipher ciphertext that was produced by a padding scheme, and the text length is not an exact multiple of 8, then an error has occurred. The CBC mode of enciphering requires a text length that is an exact multiple of 8.

The ciphertext translate callable service cannot process ciphertext whose length is not an exact multiple of 8.

The value that the text_length parameter specifies is not a multiple of the cryptographic algorithm block length.

User action: Review the requirements of the service you are using. Either adjust the text you are processing or use another process rule.

038 (56) The master key verification pattern in the OCV is not valid.
03D (61) The keyword supplied with the key_type parameter is not valid.

REASONCODES: This reason code also corresponds to these ICSF reason codes: 2720 (10016), 2740 (10048), 274C (10060). Please see those reason codes for additional information.

03E (62) The source key was not found.

REASONCODES: ICSF 271C (10012)

03F (63) This check is based on the first byte in the key identifier parameter. The key identifier provided is either an internal token, where an external or null token was required; or an external or null token, where an internal token was required. The token provided may be none of these, and, therefore, the parameter is not a key identifier at all. Another cause is specifying a key_type of IMP-PKA for a key in importable form.

User action: Check the type of key identifier required and review what you have provided. Also check that your parameters are in the required sequence.

REASONCODES: ICSF 7F8 (2040)

040 (64) The supplied private key can be used only for digital signature. Key management services are disallowed.

User action: Supply a key with key management enabled.

OR

This service requires an RSA private key that is for signature use. The specified key may be used for key management purposes only.

User action: Re-invoke the service with a supported private key.

OR

This service requires an RSA private key that is translatable. The specified key may not be used in the PKA Key Translate callable service.

User action: Re-invoke the service with a supported private key. To make a key translatable, XLATE-OK must be turned on.

041 (65) The RSA public or private key specified a modulus length that is incorrect for this service.

User action: Re-invoke the service with an RSA key with the proper modulus length.

`

REASONCODES: ICSF 2B18 (11032) and 2B58 (11096)

042 (66) The recovered encryption block was not a valid PKCS-1.2 or zero-pad format. (The format is verified according to the recovery method specified in the rule-array.) If the recovery method specified was PKCS-1.2, refer to PKCS-1.2 for the possible error in parsing the encryption block.

User action: Ensure that the parameters passed to CSNDSYI or CSNFSYI are correct. Possible causes for this error are incorrect values for the RSA private key or incorrect values in the RSA_enciphered_key parameter, which must be formatted according to PKCS-1.2 or zero-pad rules when created.

REASONCODES: ICSF 2B20 (11040)

043 (67) DES or RSA encryption failed.
044 (68) DES or RSA decryption failed.
046 (70) Identifier tag for optional block is invalid: conflicts with IBM reserved tag, is a duplicate to a tag already found, is bad in combination with a tag already found when parsing a section of optional blocks, or is otherwise invalid.

User action: Check the TR-31 key block header for correctness.

048 (72) The value specified for length parameter for a key token, key, or text field is not valid.

User action: Correct the appropriate length field parameter.

REASONCODES: This reason code also corresponds to these ICSF reason codes: 2AF8 (11000) and 2B14 (11028). Please see those reason codes for additional information.

05A (90) Access is denied for this request. This is due to an access control point in the ICSF role either being disabled or an access control point being enabled that restricts the use of a parameter such as a rule array keyword.

User action: Check the reference information for the callable service to determine which access control points are involved in the request. Contact the ICSF administrator to determine if the access control points are in the correct state. The access control points can be enabled/disabled using the TKE workstation.

064 (100) A request was made to the Clear PIN generate or Encrypted PIN verify callable service, and the PIN_length parameter has a value outside the valid range. The valid range is from 4 to 16, inclusive.

User action: Correct the value in the PIN_length parameter to be within the valid range from 4 to 16.

REASONCODES: ICSF BBC (3004)

065 (101) A request was made to the Clear PIN generate callable service, and the PIN_check_length parameter has a value outside the valid range. The valid range is from 4 to 16, inclusive.

User action: Correct the value in the PIN_check_length parameter to be within the valid range from 4 to 16.

REASONCODES: ICSF BC0 (3008)

066 (102) The value of the decimalization table is not valid.

REASONCODES: ICSF BE0 (3040)

067 (103) The value of the validation date is not valid.

REASONCODES: ICSF BE0 (3040)

068 (104) The value of the customer-selected PIN is not valid or the PIN length does not match the value specified.

REASONCODES: ICSF BE0 (3040)

069 (105) A request was made to the Clear PIN generate callable service, and the PIN_check_length parameter has a value outside the valid range. The valid range is from 4 to 16, inclusive.

User action: Correct the value in the PIN_check_length parameter to be within the valid range from 4 to 16.

REASONCODES: ICSF BE0 (3040)

06A (106) A request was made to the Encrypted PIN Translate or the Encrypted PIN verify callable service, and the PIN block value in the input_PIN_profile or output_PIN_profile parameter has a value that is not valid.

User action: Correct the PIN block value.

06B (107) A request was made to the Encrypted PIN Translate callable service and the format control value in the input_PIN_profile or output_PIN_profile parameter has a value that is not valid. The valid values are NONE or PBVC.

User action: Correct the format control value to either NONE or PBVC.

06C (108) The value of the PAD data is not valid.

REASONCODES: ICSF B08 (3016)

06D (109) The extraction method keyword is not valid.
06E (110) The value of the PAD data is not numeric character date.

REASONCODES: ICSF BE0 (3040)

06F (111) A request was made to the Encrypted PIN Translate callable service. The sequence_number parameter was required, but was not the integer value 99999.

User action: Specify the integer value 99999.

074 (116) The supplied PIN value is incorrect.

User action: Correct the PIN value.

REASONCODES: ICSF BBC (3004)

079 (121) The source_key_identifier or inbound_key_identifier you supplied is not a valid string.

User action: In an ANSI X9.17 service, check that you specified a valid ASCII string for the source_key_identifier or inbound_key_identifier parameter. In the PKA key generate service, an invalid exponent or modulus length was specified.

07A (122) The outbound_KEK_count or inbound_KEK_count you supplied is not a valid ASCII hexadecimal string.

User action: Check that you specified a valid ASCII hexadecimal string for the outbound_KEK_count or inbound_KEK_count parameter.

081 (129) A Required Rule Array keyword was not specified.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the correct value.

09A (154) This check is based on the first byte in the key identifier parameter. The key identifier provided is either an internal token, where an external or null token was required; or an external or null token, where an internal token was required. The token provided may be none of these, and, therefore, the parameter is not a key identifier at all. Another cause is specifying a key_type of IMP-PKA for a key in importable form.

User action: Check the type of key identifier required and review what you have provided. Also check that your parameters are in the required sequence.

REASONCODES: ICSF 7F8 (2040)

09B (155) The value that the generated_key_identifier parameter specifies is not valid,or it is not consistent with the value that the key_form parameter specifies.
09C (156) A keyword is not valid with the specified parameters.

REASONCODES: ICSF 2790 (10128)

09D (157) The rule_array parameter contents are incorrect.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the correct value.

REASONCODES: ICSF 7E0 (2016)

09F (159) A parameter requires Rule Array keyword that is not specified.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the correct value.

0A0 (160) The key_type and the key_length are not consistent.

User action: Review the key_type parameter provided and match it with the key_length parameter.

A2 (162)

A request was made to the Remote Key Export callable service, and the certificate_parms parameter contains incorrect values. One or more of the offsets and/or lengths for the modulus, public exponent, and/or digital signature would indicate overlap between two or all three of the fields within the certificate parameter.

User Action: Correct the values in the certificate_parms parameter to indicate the actual offsets and lengths of the modulus, public exponent, and digital signature within the certificate parameter.

A4 (164) Two parameters (perhaps the plaintext and ciphertext areas, or text_in and text_out areas) overlap each other. That is, some part of these two areas occupy the same address in memory. This condition cannot be processed.

User action: Determine which two areas are responsible, and redefine their positions in memory.

0A5 (165) The contents of a chaining vector passed to a callable service are not valid. If you called the MAC generation callable service, or the MDC generation callable service with a MIDDLE or LAST segmenting rule, the count field has a number that is not valid. If you called the MAC verification callable service, then this will have been a MIDDLE or LAST segmenting rule.

User action: Check to ensure that the chaining vector is not modified by your program. The chaining vector returned by ICSF should only be used to process one message set, and not intermixed between alternating message sets. This means that if you receive and process two or more independent message streams, each should have its own chaining vector. Similarly, each message stream should have its own key identifier.

If you use the same chaining vector and key identifier for alternating message streams, you will not get the correct processing performed.

REASONCODES: ICSF 7F4 (2036)

0B4 (180) A null key token was passed in the key identifier parameter. When the key type is TOKEN, a valid token is required.

User action: Supply a valid token to the key identifier parameter.

0B5 (181) This check is based on the first byte in the key identifier parameter. The key identifier provided is either an internal token, where an external or null token was required; or an external or null token, where an internal token was required. The token provided may be none of these, and, therefore, the parameter is not a key identifier at all. Another cause is specifying a key_type of IMP-PKA for a key in importable form.

User action: Check the type of key identifier required and review what you have provided. Also check that your parameters are in the required sequence.

This reason code also corresponds to these ICSF reason codes: 7F8 (2040), 2B24 (11044) and 3E98 (16024). Please see those reason codes for additional information.

0B7 (183) A cross-check of the control vector the key type implies has shown that it does not correspond with the control vector present in the supplied internal key identifier.

User action: Change either the key type or key identifier.

REASONCODES: ICSF 273C (10044)

0B8 (184) An input pointer is null.
0CC (204) A memory allocation failed.
14F (335) The requested function is not implemented on the coprocessor.
154 (340) One of the input control vectors has odd parity.
157 (343) Either the data block or the buffer for the block is too small.
159 (345) Insufficient storage space exists for the data in the data block buffer.
15A (346) The requested command is not valid in the current state of the cryptographic hardware component.
176 (374) Less data was supplied than expected or less data exists than was requested.

REASONCODES: ICSF 7D4 (2004) and ICSF 7E0 (2016)

181 (385) The cryptographic hardware component reported that the data passed as part of the command is not valid for that command.
197 (407) A PIN block consistency check error occurred.

REASONCODES: ICSF BC8 (3016)

1B9 (441) One or more input parameters indicates the key to be processed should be partial, but the key is not partial according to the CV or other control bits of the key.

User action: Check that the partial key option of any input parameters is consistent with the partial key setting of any key tokens being used.

25D (605) The number of output bytes is greater than the number that is permitted.
2BF (703) A new master key value was found to be one of the weak DES keys.
2C0 (704) The new master key would have the same master key verification pattern as the current master key.
2C1 (705) The same key-encrypting key was specified for both exporter keys.
2C2 (706) While deciphering ciphertext that had been created using a padding technique, it was found that the last byte of the plaintext did not contain a valid count of pad characters.

Note that some cryptographic processing has taken place, and the clear_text parameter may contain some or all of the deciphered text.

User action: The text_length parameter was not reduced. Therefore, it contains the length of the base message, plus the length of the padding bytes and the count byte. Review how the message was padded prior to being enciphered. The count byte that is not valid was created prior to the message’s encipherment.

You may need to check whether the ciphertext was not created using a padding scheme. Otherwise, check with the creator of the ciphertext on the method used to create it. You could also look at the plaintext to review the padding scheme used, if any.

REASONCODES: ICSF 7EC (2028)

2C3 (707) The master key registers are not in the state required for the requested function.

User action: Contact your ICSF administrator.

2CA (714) A reserved parameter was not a null pointer or an expected value.

REASONCODES: ICSF 844 (2116)

2CB (715) You supplied a pad_character that is not valid for a Transaction Security System compatibility parameter for which ICSF supports only one value; or, you supplied a KEY keyword and a non-zero master_key_version_number in the Key Token Build service; or, you supplied a non-zero regeneration data length for a DSS key in the PKA Generate service.

User action: Check that you specified the valid value for the TSS compatibility parameter.

REASONCODES: ICSF 834 (2100)

2CF (719) The RSA-OAEP block did not verify when it decomposed. The block type is incorrect (must be X'03').

User action: Recreate the RSA-OAEP block.

REASONCODES: ICSF 2B38 (11064)

2D0 (720) The RSA-OAEP block did not verify when it decomposed. The random number I is not correct (must be non-zero with the high-order bit equal to zero).

User action: Recreate the RSA-OAEP block.

REASONCODES: ICSF 2B40 (11072)

2D1 (721) The RSA-OAEP block did not verify when it decomposed. The verification code is not correct (must be all zeros).

User action: Recreate the RSA-OAEP block.

REASONCODES: ICSF 2BC3 (11068)

2F8 (760) The RSA public or private key specified a modulus length that is incorrect for this service.

User action: Re-invoke the service with an RSA key with the proper modulus length.

REASONCODES: ICSF 2B48 (11080)

302 (770) A reserved field in a parameter, probably a key identifier, has a value other than zero.

User action: Key identifiers should not be changed by application programs for other uses. Review any processing you are performing on key identifiers and leave the reserved fields in them at zero.

This reason code also corresponds to these ICSF reason codes: 7E8 (2024) and 2B00 (11008). Please see those reason codes for additional information.

REASONCODES: ICSF 2B00 (11008)

30F (783) The command is not permitted by the Function Control Vector value.

REASONCODES: ICSF Return code 12, reason code 2B0C (11020)

401 (1025) Registered public key or retained private key name already exists.
402 (1026) Registered public key or retained private key name does not exist.
405 (1029) There is an error in the Environment Identification data.
40B (1035) The signature does not match the certificate signature during an RKX call.

User Action: Check that the key used to check the signatures is the correct.

41A (1050) A KEK RSA-enciphered at this node (EID) cannot be imported at this same node.
41C (1052) Token identifier of the trusted block's header section is in the range 0x20 and 0xFF.

User Action: Check the token identifier of the trusted block.

41D (1053) The Active flag in the trusted block's trusted block section 0x14 is not disabled.

User Action: Use the trusted block create callable service to create an inactive/external trusted block.

41E (1054) Token identifier of the trusted block's header section is not 0x1E (external).

User Action: Use the trusted block create callable service to create an inactive/external trusted block.

41F (1055) The Active flag of the trusted block's trusted block section 0x14 is not enabled.

User Action: Use the trusted block create callable service to create an active/external trusted block.

420 (1056) Token identifier of the trusted block's header section is not 0x1F (internal).

User Action: Use the PKA public key import callable service to import the trusted block.

421 (1057) Trusted block rule section 0x12 Rule ID does not match input parameter rule ID.

User Action: Verify the trusted block used has the rule section specified.

422 (1058) Trusted block contains a value that is too small/too large.
423 (1059) A trusted block parameter that must have a value of zero (or a grouping of bits set to zero) is invalid.
424 (1060) Trusted block public key section failed consistency checking.
425 (1061) Trusted block contains extraneous sections or subsections (TLVs).

User Action: Check the trusted block for undefined sections of subsections.

426 (1062) Trusted block contains missing sections or subsections (TLVs).

User Action: Check the trusted block for required sections and subsections applicable to the callable service invoked.

427 (1063) Trusted block contains duplicate sections or subsections (TLVs).

User Action: Check the trusted block's sections and subsections for duplicates. Multiple rule sections are allowed.

428 (1064) Trusted block expiration date has expired (as compared to the 4764 clock).

User Action: Validate the expiration date in the trusted block's trusted information section's Activation and Expiration Date TLV Object.

429 (1065) Trusted block expiration date is at a date prior to the activation date.

User Action: Validate the expiration date in the trusted block's trusted information section's Activation and Expiration Date TLV Object.

42A (1066) Trusted Block Public Key Modulus bit length is not consistent with the byte length. The bit length must be less than or equal to byte length * 8 and greater than (byte length - 1) * 8.
42B (1067) Trusted block Public Key Modulus Length in bits exceeds the maximum allowed bit length as defined by the Function Control Vector.
42C (1068) One or more trusted block sections or TLV Objects contained data which is invalid (an example would be invalid label data in label section 0x13).
42D (1069) Trusted block verification was attempted by a function other than CSNDDSV, CSNDKTC, CSNDKPI, CSNDRKX, or CSNDTBC.
42E (1070) Trusted block rule ID contained within a Rule section contains invalid characters.
42F (1071) The source key's length or CV does not match what is expected by the rule section in the trusted block that was selected by the rule ID input parameter.
430 (1072) The activation data is not valid.

User Action: Validate the activation data in the trusted block's trusted information section's Activation and Expiration Date TLV Object.

431 (1073) The source-key label does not match the template in the export key DES token parameters TLV object of the selected trusted block rule section.
432 (1074) The control-vector value specified in the common export key parameters TLV object in the selected rule section of the trusted block contains a control vector that is not valid.
433 (1075) The source-key label template in the export key DES token parameters TLV object in the selected rule section of the trusted block contains a label template that is not valid.
7D1 (2001) TKE: DH generator is greater than the modulus.
7D2 (2002) TKE: DH registers are not in a valid state for the requested operation.
7D3 (2003) TKE: TSN does not match TSN in pending change buffer.
7D4 (2004) A length parameter has an incorrect value. The value in the length parameter could have been zero (when a positive value was required) or a negative value. If the supplied value was positive, it could have been larger than your installation’s defined maximum, or for MDC generation with no padding, it could have been less than 16 or not an even multiple of 8.

User action: Check the length you specified. If necessary, check your installation’s maximum length with your ICSF administrator. Correct the error.

REASONCODES: TSS 019 (025)

7D5 (2005) TKE: PCB data exceeds maximum data length.
7D8 (2008) Two parameters (perhaps the plaintext and ciphertext areas, or text_in and text_out areas) overlap each other. That is, some part of these two areas occupy the same address in memory. This condition cannot be processed.

User action: Determine which two areas are responsible, and redefine their positions in memory.

REASONCODES: TSS 0A4 (164)

7D9 (2009) TKE: ACI can not load both loads and profiles in one call.
7DA (2010) TKE: ACI can only load one role or one profile at a time.
7DB (2011) TKE: DH transport key algorithm match.
7DC (2012) The rule_array_count parameter contains a number that is not valid.

User action: Refer to the rule_array_count parameter described in this publication under the appropriate callable service for the correct value.

REASONCODES: TSS 023 (035)

7DD (2013) TKE: Length of hash pattern for keypart is not valid for DH transport key algorithm specified.
7DE (2014) TKE: PCB buffer is empty.
7DF (2015) An error occurred in the Domain Manager.
7E0 (2016) The rule_array parameter contents are incorrect. One or more of the rules specified are not valid for this service OR some of the rules specified together may not be combined.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the correct value.

7E2 (2018) The form parameter specified in the random number generate callable service should be ODD, EVEN, or RANDOM. One of these values was not supplied.

User action: Change your parameter to use one of the required values for the form parameter.

REASONCODES: TSS 021 (033)

7E3 (2019) TKE: Signature in request CPRB did not verify.
7E4 (2020) TKE: TSN in request CPRB is not valid.
7E8 (2024) A reserved field in a parameter, probably a key identifier, has a value other than zero.

User action: Key identifiers should not be changed by application programs for other uses. Review any processing you are performing on key identifiers and leave the reserved fields in them at zero.

7EB (2027) TKE: DH transport key hash pattern doesn't match.
7EC (2028)

While deciphering ciphertext that had been created using a padding technique, it was found that the last byte of the plaintext did not contain a valid count of pad characters. Note that all cryptographic processing has taken place, and the clear_text parameter contains the deciphered text.

When deciphering ciphertext that had been created using Galois/Counter Mode (GCM) either through PKCS #11 Secret key decrypt (CSFPSKD or CSFPSKD6) or Symmetric Key Decipher (CSNBSYD, CSNBSYD1, CSNESYD, or CSNESYD1), the GCM tag provided did not match the data provided. No cleartext was returned.

User action: The text_length parameter was not reduced. Therefore, it contains the length of the base message, plus the length of the padding bytes and the count byte. Review how the message was padded prior to it being enciphered. The count byte that is not valid was created prior to the message’s encipherment.

You may need to check whether the ciphertext was not created using a padding scheme. Otherwise, check with the creator of the ciphertext on the method used to create it. You could also look at the plaintext to review the padding scheme used, if any.

If using GCM, verify that the parameters provided (ciphertext, additional authenticated data, and tag) match those provided to, or returned from, the corresponding call to PKCS #11 Secret key encrypt (CSFPSKE or CSFPSKE6) or Symmetric Key Encipher (CSNBSYE, CSNBSYE1, CSNESYE, or CSNESYE1).

REASONCODES: TSS 2C2 (706)

7ED (2029) TKE: Request data block hash does not match hash in CPRB.
7EE (2030) TKE: DH supplied hash length is not correct.
7EF (2031) Reply data block too large.
7F0 (2032) The key_form, key_type_1, and key_type_2 parameters for the key generate callable service form a combination, a three-element string. This combination is checked against all valid combinations. Your combination was not found among this list.

User action: Check the allowable combinations described for each parameter in Key Generate callable service and correct the appropriate parameter(s).

7F1 (2033) TKE: Change type does not match PCB change type.
7F4 (2036) The contents of a chaining vector or the chaining data passed to a callable service are not valid. If you called the MAC generation callable service, or the MDC generation callable service with a MIDDLE or LAST segmenting rule, the count field has a number that is not valid. If you called the MAC verification callable service, then this will have been a MIDDLE or LAST segmenting rule. If you called the Symmetric Key Encipher, Symmetric Key Decipher, PKCS#11 Secret Key Encrypt or PKCS #11 Secret Key Decrypt, the chaining data passed is unusable, either because a CONTINUE or FINAL was not preceded by an INITIAL or CONTINUE, or because an attempt was made to continue chaining calls after a partial block has been processed.

User action: Check to ensure that the chaining vector or chaining data is not modified by your program. The chaining vector or chaining data returned by ICSF should only be used to process one message set, and not intermixed between alternating message sets. This means that if you receive and process two or more independent message streams, each should have its own chaining vector. Similarly, each message stream should have its own key identifier.

If you use the same chaining vector and key identifier for alternating message streams, you will not get the correct processing performed.

REASONCODES: TSS 0A5 (165)

7F6 (2038) No RSA private key information was provided in the supplied token.

User action: Check that the token supplied was of the correct type for the service.

7F8 (2040) This check is based on the first byte in the key identifier parameter. The key identifier provided is either an internal token, where an external or null token was required; or an external or null token, where an internal token was required. The token provided may be none of these, and, therefore, the parameter is not a key identifier at all. Another cause is specifying a key_type of IMP-PKA for a key in importable form.

User action: Check the type of key identifier required and review what you have provided. Also check that your parameters are in the required sequence.

REASONCODES: TSS 03F (063) and TSS 09A (154)

7FC (2044) The caller must be in task mode, not SRB mode.
800 (2048) The key_form is not valid for the key_type

User action: Review the key_form and key_type parameters. For a key_type of IMP-PKA, the secure key import callable service supports only a key_form of OP.

802 (2050) A UKPT keyword was specified, but there is an error in the PIN_profile key serial number.

User action: Correct the PIN profile key serial number.

803 (2051) Invalid message length in OAEP-decoded information.
804 (2052) A single-length key, passed to the secure key import callable service in the clear_key parameter, must be padded on the right with binary zeros. The fact that it is a single-length key is identified by the key_form parameter, which identifies the key as being DATA, MACGEN, MACVER, and so on.

User action: If you are providing a single-length key, pad the parameter on the right with zeros. Alternatively, if you meant to pass a double-length key, correct the key_form parameter to a valid double-length key type.

805 (2053) No message found in OAEP-decoded information.
806 (2054) Invalid RSA enciphered key cryptogram; OAEP optional encoding parameters failed validation.
807 (2055) The RSA public key is too small to encrypt the DES key.
808 (2056) The key_form parameter is neither IM nor OP. Most constants, these included, can be supplied in lower or uppercase. Note that this parameter is 4 bytes long, so the value IM or OP is not valid. They must be padded on the right with blanks.

User action: Review the value provided and change it to IM or OP, as required.

REASONCODES: TSS 029 (041)

80C (2060) The value specified for the key_length parameter of the key generate callable service is not valid.

User action: Review the value provided and change it as appropriate.

REASONCODES: TSS 02B (043)

810 (2064) The key_type and the key_length are not consistent.

User action: Review the key_type parameter provided and match it with the key_length parameter.

REASONCODES: TSS 0A0 (160)

811 (2065) A null key token was not specified for a key identifier parameter.

User action: Check the service description and determine which key identifier parameter must be a null token.

813 (2067) TKE: A key part register is in an invalid state. This includes the case where an attempt is made to load a FIRST key part, but a register already contains a key or key part with the same key name.

User action: Supply a different label name for the key part register or clear the existing key part register with the same label name.

814 (2068) You supplied a key identifier or token to the key generate, key import, multiple secure key import, key export, or CKDS key record write callable service. This key identifier holds an importer or exporter key, and the NOCV bit is on in the token. Only programs running in supervisor state or in a system key (key 0–7) may provide a key identifier with this bit set on. Your program was not running in supervisor state or a system key.

User action: Either use a different key identifier, or else run in supervisor state or a system key.

815 (2069) TKE: The control vector in the key part register does not match the control vector in the key structure.
816 (2070) TKE: All key part registers are already in use.

User action: Either free existing key part registers by loading keys from ICSF or clearing selected key part registers from TKE or select another PCIXCC, CEX2C, or CEX3C for loading the key part register.

817 (2071) TKE: The key part hash pattern supplied does not match the hash pattern of the key part currently in the register.
818 (2072) A request was made to the key generate callable service to generate double-length keys of SINGLE effective length, in the IMEX form. This request is valid only if the KEK_key_identifier_1 parameter identifies a NOCV importer, and the caller (wrongly) supplies a CV importer. The combination of IMEX for the key_form parameter and a CV importer key-encrypting key can only be used for single-length keys.

User action: Either use a key identifier that holds (or identifies) a NOCV importer, or specify a single-length key in the key_type parameter.

81B (2075) TKE: The length of the key part received is different from the length of the accumulated value already in the key part register.
81C (2076) A request was made to the key import callable service to import a single-length key. However, the right half of the key in the source_key_identifier parameter is not zeros. Therefore, it appears to identify the right half of a double-length key. This combination is not valid. This error does not occur if you are using the word TOKEN in the key_type parameter.

User action: Check that you specified the value in the key_type parameter correctly, and that you are using the correct or corresponding source_key_identifier parameter.

81D (2077) TKE: An error occurred storing or retrieving the key part register data.

User action: Verify that the selected PCIXCC, CEX2C, or CEX3C is functioning correctly and retry the operation.

81F (2079) An encrypted symmetric key token was passed to the service. Either an encrypted key token is not supported for this service (CSNDPKE) or the required hardware is not present (CSNBSYD and CSNBSYE).
824 (2084) The key token is not valid for the CSNBTCK service. If the source_key_identifier is an external token, then the KEK_key_identifier cannot be marked as CDMF.

User action: Correct the appropriate key identifiers.

828 (2088) The origin_identifier or destination_identifier you supplied is not a valid ASCII hexadecimal string.

User action: Check that you specified a valid ASCII string for the origin_identifier or destination_identifier parameter.

829 (2089) The algorithm does not match the algorithm of the key identifier.

User action: Make sure the rule_array keywords specified are valid for the type of key specified. Refer to the rule_array parameter described in this publication under the appropriate callable service for the valid values.

82C (2092) The source_key_identifier or inbound_key_identifier you supplied in an ANSI X9.17 service is not a valid ASCII hexadecimal string.

User action: Check that you specified a valid ASCII string for the source_key_identifier or inbound_key_identifier parameter.

REASONCODES: TSS 079 (121)

82D (2093) Key identifiers contain a version number. The version number in a supplied key identifier (internal or external) is inconsistent with one or more fields in the key identifier, making the key identifier unusable.

User action: Use a token containing the required version number.

82F (2095) The value in the key_form parameter is incompatible with the value in the key_type parameter.

User action: Ensure compatibility of the selected parameters.

830 (2096) The outbound_KEK_count or inbound_KEK_count you supplied is not a valid ASCII hexadecimal string.

User action: Check that you specified a valid ASCII hexadecimal string for the outbound_KEK_count or inbound_KEK_count parameter.

REASONCODES: TSS 07A (122)

831 (2097) The value in the key_identifier_length parameter is incompatible with the value in the key_type parameter.

User action: Ensure compatibility of the selected parameters.

832 (2098) Either a key bit length that was not valid was found in an AES key token (length not 128, 192, or 256 bits) or a version X'01' DES token had a token-marks field that was not valid.
833 (2099) Encrypted key length in an AES key token was not valid when an encrypted key is present in the token.
834 (2100) You supplied a pad_character that is not valid for a Transaction Security System compatibility parameter for which ICSF supports only one value; or, you supplied a KEY keyword and a non-zero master_key_version_number in the Key Token Build service; or, you supplied a non-zero regeneration data length for a DSS key in the PKA Generate service.

User action: Check that you specified the valid value for the TSS compatibility parameter.

REASONCODES: TSS 2CB (715)

838 (2104) An input character is not in the code table.

User action: Correct the code table or the source text.

REASONCODES: TSS 02D (045)

83C (2108) An unused field must be binary zeros, and an unused key identifier field generally must be zeros.

User action: Correct the parameter list.

REASONCODES: TSS 02F (047)

83F (2111) There is an inconsistency between the wrapping information in the key token and the request to wrap a key.
840 (2112) The length is incorrect for the key type.

User action: Check the key length parameter. DATA keys may have a length of 8, 16, or 24. DATAXLAT and MAC keys must have a length of 8. All other keys should have a length of 16. Also check that the parameters are in the required sequence.

841 (2113) A key token contains invalid payload.

User action: Recreate the key token.

844 (2116) Parameter contents or a parameter value is not correct.

User action: Specify a valid value for the parameter.

REASONCODES: TSS 021 (033)

846 (2118) Invalid value(s) in TR-31 key block header.

User action: Check the TR-31 key block header for correctness. Also check that the PADDING optional block is the last optional block in a set of optional blocks.

847 (2119) “Mode" value in the TR-31 header is invalid or is not acceptable in the chosen operation.

User action: Check the TR-31 key block header for correctness.

849 (2121) “Algorithm" value in the TR-31 header is invalid or is not acceptable in the chosen operation.

User action: Check the TR-31 key block header for correctness.

84A (2122) If importing a TR-31 key block, the exportability byte in the TR-31 header contains a value that is not supported. If exporting a TR-31 key block, the requested exportability is inconsistent with the key block. For example a ‘B' Key Block Version ID key can only be wrapped by a KEK that is wrapped in CBC mode, the ECB mode KEK violates ANSI X9.24.

User action: Check the TR-31 key block header for correctness.

84B (2123) The length of the cleartext key in the TR-31 block is invalid, for example the algorithm is “D" for single-DES but the key length is not 64 bits.

User action: Check that the values in the TR-31 header are consistent with the key fields.

84D (2125) The Key Block Version ID in the TR-31 header contains an invalid value.

User action: Check the TR-31 key block header for correctness.

84E (2126) The key usage field in the TR-31 header contains a value that is not supported for import of the key into CCA.

User action: Check the TR-31 key block header for correctness.

84F (2127) The key usage field in the TR-31 header contains a value that is not valid with the other parameters in the header.

User action: Check the TR-31 key block header for correctness

851 (2129) A parameter to a TR-31 service such as a TR-31 key block, a set of optional blocks, or a single optional block contains invalid characters. It may be that the parameter contains EBCDIC characters when ASCII is expected or vice-versa, or the wrong characters were found in a field which only accepts a limited range of characters. For example some length fields can be populated by characters '0' - '9' and 'A' - 'F', while other length fields can only contain characters '0' - '9'.

User action: Check the TR-31 parameters for correctness

852 (2130) The CV carried in the TR-31 key block optional blocks is inconsistent with other attributes of the key

User action: Check the TR-31 key block header for correctness.

853 (2131) The MAC validate step failed for a parameter. This may result from tampering, corruption, or attempting to use a different key to validate the MAC from the one used to generate it.

User action: Check each parameter which includes a MAC for correctness. If the parameter is wrapped by a key-encrypting-key (KEK), ensure that the correct KEK is supplied.

856 (2134) The requested PIN decimalization table does not exist or no PIN decimalization tables have been stored in the coprocessor.
857 (2135) The supplied PIN decimalization table is not in the list of active tables stored in the coprocessor.
85E (2142) This code can be generated for the following reasons:
  • On a call to Key Generate2, either or both of the key usage fields for generated_key_identifier_1 and generated_key_identifier_2 contain incorrect values or are in conflict. See Table 40 for the valid combinations.
  • On a call to Key Translate2 using the REFORMAT Encipherment rule and providing a variable-length AES token, the key usage fields for input_key_token contain disallowed values or prohibit the operation.
User action: Call Key Generate2 or Key Translate2 using key tokens whose key usage fields contain a valid combination.
85F (2143) On a call to Key Translate2 using the REFORMAT Encipherment rule and providing a variable-length AES token, the key management fields for input_key_token contain disallowed values or prohibit the operation.

User action: Call Key Translate2 using a key token whose key-management fields contain allowed values.

861 (2145)

When exporting a key under an AES KEK, it was found that the KEK was weaker than the key being wrapped. This operation is disallowed because the “Variable-length Symmetric Token - disallow weak wrap" access control point is enabled.

User action: If weak key wrapping is to be allowed, disable access control point "Variable-length Symmetric Token - disallow weak wrap" using the TKE workstation.

863 (2147) The key type that was to be generated by this callable service is not valid.

User action: Refer to the parameters described in this publication under the appropriate callable service for the correct parameter values.

865 (2149) The key that was to be generated by this callable service is stronger than the input material.

User action: Validate the key material is is at least as strong as the key to be generated.

86A (2154) At least one key token passed to this callable service does not have the required key type for the specified function.

User action: Refer to the parameters described in this publication under the appropriate callable service for the correct parameter values.

86E (2156) Multiple ECC tokens were passed to this callable service. The curve types of the all the token parameters do not match.

User action: Check that the curve types of the input ECC tokens are the same.

871 (2161) The requested or default wrapping method conflicts with one or both input tokens.

User action: On the call to the CVV Key Combine service, make sure that the desired wrapping method (either specified as a rule_array keyword or the default wrapping method) is consistent with the wrapping method of the input token(s). For example, an input token that can only be wrapped in the enhanced method (ENH-ONLY flag on in the CV) cannot produce an output token wrapped in the original method (ECB mode).

BB9 (3001) SET block decompose service was called with an encrypted OAEP block with a block contents identifier that indicates a PIN block is present. No PIN encrypting key was supplied to process the PIN block. The block contents identifier is returned in the block_contents_identifier parameter.

User action: Supply a PIN encrypting key and resubmit the job.

BBB (3003) An output parameter is too short to hold the output of the request. The length parameter for the output parameter has been updated with the required length for the request.

User action: Update the size of the output parameter and length specified in the length field and resubmit the request.

BBC (3004) A request was made to the Clear PIN generate or Encrypted PIN verify callable service, and the PIN_length parameter has a value outside the valid range. The valid range is from 4 to 16, inclusive.

User action: Correct the value in the PIN_length parameter to be within the valid range from 4 to 16.

REASONCODES: TSS 064 (100)

BBE (3006) The UDX verb in the PCICC, PCIXCC, CEX2C, or CEX3C is not authorized to be executed.
BC0 (3008) A request was made to the Clear PIN generate callable service, and the PIN_check_length parameter has a value outside the valid range. The valid range is from 4 to 16, inclusive.

User action: Correct the value in the PIN_check_length parameter to be within the valid range from 4 to 16.

REASONCODES: TSS 065 (101)

BC1 (3009) For PKCS #11 attribute processing, an attribute has been specified in the template that is not consistent with another attribute of the object being created or updated.

User action: Correct the template for the object.

BC3 (3011) The CRT value (p, q, Dp, Dq or U) is longer than the length allowed by the parameter block for clear key processing on an accelerator. A modulus whose length is less than or equal to 1024 bits is 64 bytes in length. A modulus whose length is greater than 1024 bits but less than or equal to 2048 bits is 128 bytes in length.

User action: Reconfigure CEX2A as a CEX2C or CEX3A as a CEX3C to make use of the key (if the CRT value is not in error and there is no CEX2C or CEX3C installed).

REASONCODES: TSS 065 (101)

BC4 (3012) A request was made to the Clear PIN generate callable service to generate a VISA-PVV PIN, and the trans_sec_parm field has a value outside the valid range. The field being checked in the trans_sec_parm is the key index, in the 12th byte. This trans_sec_parm field is part of the data_array parameter.

User action: Correct the value in the key index, held within the trans_sec_parm field in the data_array parameter, to hold a number from the valid range.

REASONCODES: TSS 069 (105)

BC5 (3013) The AES clear key value LRC in the token failed validation.

User action: Correct the AES clear key value.

REASONCODES: TSS 06A (106)

BC8 (3016) A request was made to the Encrypted PIN Translate or the Encrypted PIN verify callable service, and the PIN block value or PADDIGIT value in the input_PIN_profile or output_PIN_profile parameter has a value that is not valid.

User action: Correct the PIN block value.

REASONCODES: TSS 06A (106)

BCB (3019) The call to insert or delete a z/OS PKCS #11 token object failed because the token was not found in the TKDS data space or a request to delete a PKCS #11 session object failed because the token was not found in the session data space.
BCC (3020) For a PKCS #11 callable service, the PKCS #11 object specified is the incorrect class for the request.

User action: Specify the correct class of object for the service.

BCD (3021) The call to add a z/OS PKCS #11 token failed because the token already exists in the TKDS data space or a request to add a z/OS PKCS #11 token object failed because an object with the same handle already exists.
BCE (3022) The call to add or update a z/OS PKCS #11 tokens object failed because the supplied attributes are too large to be stored in the TKDS.
BD0 (3024) A request was made to the Encrypted PIN Translate callable service and the format control value in the input_PIN_profile or output_PIN_profile parameter has a value that is not valid. The valid values are NONE or PBVC.

User action: Correct the format control value to either NONE or PBVC.

REASONCODES: TSS 06B (107)

BD1 (3025) The call to create a list of z/OS PKCS #11 tokens, a list of objects of a z/OS PKCS #11 token, the information for a z/OS PKCS #11 token or the attributes of a PKCS #11 object failed because the length of the output field was insufficient to hold the data. The length field has been updated with the length of a single list or entry, token information or object attributes.
BD2 (3026) The z/OS PKCS #11 token or object handle syntax is invalid.
BD3 (3027) The call to read or update a z/OS PKCS #11 token or token object failed because the token or object was not found in the TKDS data space, or if the call to read or update a PKCS #11 session object failed because the object was not found.
BD4 (3028) A request was made to the Clear PIN generate callable service. The clear_PIN supplied as part of the data_array parameter for an GBP-PINO request begins with a zero (0). This value is not valid.

User action: Correct the clear_PIN value.

REASONCODES: TSS 074 (116)

BD5 (3029) For PKCS #11 attribute processing, an invalid attribute was specified in the template. The attribute is neither a PKCS #11 or vendor-specified attribute supported by this implementation of PKCS #11.

User action: Correct the template by removing the invalid attribute or changing the attribute to a valid attribute.

BD6 (3030) An invalid value was specified for a particular PKCS #11 attribute in a template when creating or updating an object.
BD7 (3031) The certificate specified in creating a PKCS #11 certificate object was not properly encoded.
BD9 (3033) The attribute template for creating or updating a PKCS #11 object was incomplete. Required attributes for the object class were not specified in the template.
BDA (3034) The call to modify PKCS #11 object attributes failed because the CKA_MODIFIABLE attribute was set to false when the object was recreated.
BDB (3035) For PKCS #11 attribute processing, an attribute was specified in the template which can not be set or updated by the application. See z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for a definition of attributes that can be set or updated by the application.

User action: Remove the offending attribute from the template.

BDC (3036) A request was made to the Encrypted PIN Translate callable service. The sequence_number parameter was required, but was not the integer value 99999.

User action: Specify the integer value 99999.

REASONCODES: TSS 06F (111)

BDE (3038) For a PKCS #11 callable service, the attributes of the PKCS #11 object specified do not permit the requested function.

User action: Specify an object that permits the requested function.

BDF (3039) For a PKCS #11 callable service, where a PKCS #11 key object is required, the specified object is not of the correct key type for the requested function.

User action: Specify an object that is the correct class of key.

BE0 (3040) The PAN, expiration date, service code, decimalization table data, validation data, or pad data is not numeric (X'F0' through X'F9'). The parameter must be character representations of numerics or hexadecimal data.

User action: Review the numeric parameters or fields required in the service that you called and change to the format and values required.

REASONCODES: TSS 028 (040), TSS 02A (042), TSS 066 (102), TSS 067 (103), TSS 068 (104), TSS 069 (105), TSS 06E (110)

BE1 (3041) PKCS #11 wrap key callable service failed because the wrapping key object is not of the correct class to wrap the key specified to be wrapped.

User action: Specify a wrapping key object of the correct class to wrap the key object.

BE3 (3043) PKCS #11 wrap key callable service failed because the key object to be wrapped does not exist or the key class does not match the wrapping mechanism.

User action: Specify an existing key object that is correct for the wrapping mechanism.

BE4 (3044) A PKCS #11 session data space is full. The request to create or update an object failed and the object was not created or updated.

User action: Delete unused session objects and cryptographic state objects from incomplete chained operations to create space for new or updated objects.

BE5 (3045) PKCS #11 wrap key callable service failed because the key object to be wrapped has CKA_EXTRACTABLE set to false.

User action: Specify another key object that can be extracted.

BE7 (3047) A clear key was provided when a secure key was required.

User action: Correct the appropriate key identifier.

BEA (3050) A caller is attempting to overwrite one token type with another (for example, AES over DES).
BEC (3052) A clear key token was supplied to a service where a secure token is required.
BED (3053) A service was called with no parameter list, but a parameter list was expected.

User action: Call the service with a parameter list.

BEE (3054) A request was made to a callable service with a key token wrapped with the enhanced X9.24 CBC method. Tokens wrapped with the enhanced method are not supported by this release of ICSF.

User action: Contact your ICSF administrator to resolve which key token is to be used.

BF5 (3061) The provided asymmetric key identifier can not be used for the requested function. PKA Key Management Extensions have been enabled by a CSF.PKAEXTNS.ENABLE profile in the XFACILIT class. A CSFKEYS profile covering the key includes an ICSF segment, and the ASYMUSAGE field of that segment restricts the key from being used for the specified function.

An SMF type 82 subtype 27 record is logged in the SMF database.

BF6 (3062) The provided symmetric key identifier can not be exported using the provided asymmetric key identifier. PKA Key Management Extensions have been enabled by a CSF.PKAEXTNS.ENABLE profile in the XFACILIT class. A CSFKEYS or XCSFKEY profile covering the symmetric key includes an ICSF segment and the SYMEXPORTABLE field of that segment places restrictions on how the key can be exported. The SYMEXPORTABLE field either specifies BYNONE, or else specifies BYLIST but the provided asymmetric key identifier is not one of those permitted to export the symmetric key (as identified by the SYMEXPORTCERTS or SYMEXPORTKEYS fields).

An SMF type 82 subtype 27 record is logged to the SMF database.

BF7 (3063) ICSF key store policy checking is active. The request failed the ICSF token policy check because the caller is not authorized to the label for the token in the key data set (CKDS or PKDS). The request is not allowed to continue because the token check policy is in FAIL mode.

SMF type 82 subtype 25 records are logged in the SMF dataset. An SMF type 80 with event code qualifier of ACCESS is logged.

The policy is defined by the CSF.CKDS.TOKEN.CHECK.LABEL.FAIL resource or the CSF.PKDS.TOKEN.CHECK.LABEL.FAIL resource in the XFACILIT class.

BF8 (3064) ICSF key store policy checking is active. The specified token does not exist in the key data set (CKDS or PKDS as appropriate). The CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT resource in the CSFKEYS class is either not defined or the caller is not authorized to the CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT resource. The resource is not in WARNING mode, so the request is not allowed to continue.

An SMF type 80 record with event qualifier ACCESS is logged indicating the request failed.

The policy is defined by the CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL or the CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL resource in the XFACILIT class.

BF9 (3065) ICSF token policy checking is active. The caller is requesting to add a token to the key data set (CKDS or PKDS as appropriate) that already exists within the key data set. The request fails.

The policy is defined by the CSF.CKDS.TOKEN.NODUPLICATES resource or the CSF.PKDS.TOKEN.NODUPLICATES resource in the XFACILIT class.

BFB (3067) The provided symmetric key label refers to an encrypted CCA key token, and the CSFKEYS profile covering it does not allow its use in high performance encrypted key operations.

User action: Contact your ICSF or RACF administrator if you need to use this key in calls to Symmetric Key Encipher (CSNBSYE) or Symmetric Key Decipher (CSNBSYD). Otherwise, use Encipher (CSNBENC) or Decipher (CSNBDEC) instead.

BFC (3068) A cryptographic operation using a specific PKCS #11 key object is being requested. The key object has exceeded its useful life for the operation requested. The request is not processed.

User action: Use a different key.

BFD (3069) A cryptographic operation that requires FIPS 140-2 compliance is being requested. Either ICSF has not been configured to run in FIPS mode or the system environment does not support it. The request is not processed.

User action: Contact your ICSF administrator to request that ICSF be configured for either FIPS standard mode or FIPS compatibility mode.

BFE (3070) A cryptographic operation that requires FIPS 140-2 compliance is being requested. The desired algorithm, mode, or key size is not approved for FIPS 140-2. The request is not processed.

User action: Repeat the request using an algorithm, mode, and/or key size approved for FIPS 140-2. Refer to z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for this list of approved algorithms, modes, and key sizes.

BFF (3071) An application using a z/OS PKCS #11 token that is marked ‘Write Protected' is attempting to do one of the following:
  • Store a persistent object in the token.
  • Delete the token.
  • Reinitialize the token.
ICSF always marks the session object only omnipresent token as ‘Write Protected.' ICSF will also mark an ordinary token ‘Write Protected' if it contains objects not supported by this release of ICSF.

User action: Use a z/OS PKCS #11 token that is not marked ‘Read Only' or, if this is an ordinary token (not the omnipresent token), attempt the delete or reinitialization from a different member of the sysplex.

C04 (3076) A symmetric key token was supplied in a key identifier parameter which is wrapped using the enhanced X9.24 key wrapping method. The token can not be rewrapped to the original method because the wrapping flag in the control vector prohibits this wrapping.
C07 (3079) A request was made to use a key token wrapped with the X9.24 enhanced wrapping method introduced in HCR7780. Key tokens wrapped with the enhanced method can not be used on this release. Also, key tokens wrapped with the enhanced method can not be updated or deleted from the CKDS on this release.

User Action: Run your application on a release that support the enhanced wrapping method.

C08 (3080) Use of an ECC token has been attempted. The usage of this type of token is not supported on the release of ICSF currently running.

User Action: Check the ICSF release for support of this token type.

C0B (3083) The specified key token buffer length is of insufficient size for the buffer to contain the output key token.

User action: Specify a key token buffer that is sufficiently large enough to receive the output key token.

C0C (3084) The key token associated with the specified key label is not a DES or AES key token, but this callable service is only compatible with DES and AES key tokens.

User action: Either modify the program logic to utilize only key labels for DES and/or AES key tokens, or use an ICSF callable service that supports all of the symmetric key token types.

C0D (3085) Rule array keyword specifies a function not supported by this hardware. For example, ECC specified in rule array for PKA Key Token Change callable service but request is being executed on a system that does not support ECC keys.

User Action: Specify a different, supported, rule array keyword, or execute the service on a system that supports the function.

C0E (3086) Specified token is not supported by this hardware. For example, an ECC token is being used but request is being executed on a system that does not support ECC keys.

User Action: Specify a different, supported, token, or execute the request on a system that supports the function.

C0F (3087) A coordinated KDS refresh was attempted to an empty KDS. The new KDS of a coordinated KDS refresh must be initialized and must contain the same MKVP values as the active KDS.

User action: Perform a coordinated KDS refresh using a new KDS that is initialized and that contains the same MKVP values as the active KDS.

C10 (3088) A coordinated KDS change master key was attempted and either the new KDS or backup KDS contained a different LRECL attribute from the active KDS. The new KDS and optionally the backup KDS must contain the same LRECL attribute as the active KDS during a coordinate KDS change master key.

User action: Perform a coordinated KDS change master key using a new KDS and optionally a backup KDS with the same LRECL attribute as the active KDS.

C11 (3089) The new KDS specified for a coordinated KDS change master key was not empty when the operation began. The new KDS must be empty before performing a coordinated KDS change master key.

User action: Perform the coordinated KDS change master key with a new KDS that is empty.

C12 (3090) The backup KDS specified for a coordinated KDS change master key was not empty when the operation began. When using the optional backup function, the backup KDS must be empty before performing a coordinated KDS change master key.

User action: Perform the coordinated KDS change master key with a backup KDS that is empty.

C13 (3091) The new KDS specified for a coordinated KDS refresh contains different MKVPs than the active KDS. In order to perform a coordinated KDS refresh, the new KDS specified must contain the same MKVPs as the active KDS.

User action: Perform the coordinated KDS refresh with a new KDS that contains the same MKVPs as the active KDS.

C1F (3103) The new KDS specified for either a coordinated KDS refresh or coordinated KDS change master key is not a valid data set name.

User action: Specify a valid data set name for the new KDS when performing either a coordinated KDS refresh or coordinated KDS change master key.

C20 (3104) The backup KDS specified for a coordinated KDS change master key is not a valid data set name.

User action: Specify a valid data set name for the backup KDS when performing a coordinated KDS change master key.

C21 (3105) A coordinated KDS refresh or coordinated KDS change master key was attempted while at least one ICSF instance in the sysplex was below the HCR7790 FMID level. The coordinated KDS refresh and coordinated KDS change master key functions are only available when all ICSF instances in the sysplex, regardless of active KDS, are running at the HCR7790 FMID level or higher.

User action: Remove or upgrade ICSF instances in the sysplex that are running below the HCR7790 FMID level and retry the function.

C22 (3106) Either a coordinated KDS refresh or coordinated KDS change master key was attempted while another coordinated KDS refresh or coordinated KDS change master key was still in progress. The coordinated KDS function was initiated by this ICSF instance. Only one coordinated KDS function may execute at a time in the sysplex.

User action: Wait for the previous coordinated KDS function to complete and retry the function.

C23 (3107) A coordinated KDS change master key was attempted using a new KDS with the same name as the active KDS. The new KDS name must be different from the active KDS when performing a coordinated KDS change master key.

User action: Specify a new KDS with a different name from the active KDS and retry the function. Coordinated KDS change master key requires the new KDS to be allocated and match the same VSAM attributes as the active KDS.

C24 (3108) A coordinated KDS change master key was attempted using a backup KDS with the same name as the active KDS. When using the backup function, the backup KDS name must be different from the active KDS when performing a coordinated KDS change master key.

User action: Specify a backup KDS with a different name from the active KDS and retry the function. Coordinated KDS change master key requires the backup KDS to be allocated and match the same VSAM attributes as the active KDS.

C25 (3109) A coordinated KDS change master key was attempted using a new KDS with the same name as the backup KDS. If a backup KDS is specified, its name must be different from the new KDS.

User action: Specify a backup KDS with a different name from the new KDS and retry the function. The backup KDS is optional. Coordinated KDS change master key requires the new KDS, and optionally the backup KDS, to be allocated and match the same VSAM attributes as the active KDS.

C26 (3110) A coordinated KDS refresh or coordinated KDS change master key was attempted using an archive KDS name that is not valid.

User action: Specify a valid data set name for the archive KDS and retry the function. The archive data set name is optional. The optional archive KDS name must not exist on the system prior to performing a coordinated KDS refresh or a coordinated KDS change master key.

C27 (3111) A coordinated KDS change master key was attempted using an archive KDS with the same name as the backup KDS. When using the archive and backup functions, the archive KDS name must be different from the backup KDS.

User action: Specify an archive KDS with a different name from the backup KDS and retry the function. The archive KDS name and the backup KDS are optional. The archive KDS name must not exist on the system prior to performing a coordinated KDS refresh or a coordinated KDS change master key. The backup KDS must be allocated and match the same VSAM attributes as the active KDS.

C28 (3112) A coordinated KDS refresh or a coordinated KDS change master key was attempted using an archive KDS with the same name as the active KDS. When using the archive function, the archive KDS name must be different from the active KDS.

User action: Specify an archive KDS with a different name from the active KDS and retry the function. The archive KDS name must not exist on the system prior to performing a coordinated KDS refresh or a coordinated KDS change master key.

C29 (3113) A coordinated KDS refresh or a coordinated KDS change master key was attempted using an archive KDS with the same name as the new KDS. When using the archive function, the archive KDS name must be different from the new KDS.

User action: Specify an archive KDS with a different name than the new KDS and retry the function. The archive KDS name must not exist on the system prior to performing a coordinated KDS refresh or a coordinated KDS change master key.

C2A (3114) Either a coordinated KDS refresh or coordinated KDS change master key was attempted while another coordinated KDS refresh or coordinated KDS change master key was still in progress. The coordinated KDS function was initiated by another ICSF instance in the sysplex. Only one coordinated KDS function may execute at a time in the sysplex.

User action: Wait for the previous coordinated KDS function to complete and retry the function.

C30 (3120) A coordinated KDS change master key was attempted on an active KDS that was not initialized. The active KDS must be initialized before performing a coordinated KDS change master key.

User action: Initialize the active KDS and retry the function

C31 (3121) The archive option was specified for a coordinated KDS refresh of the active KDS. The archive option is only valid for coordinated KDS refreshes to a new KDS or coordinated KDS change master key.

User action: Do not specify an archive data set when performing a coordinated KDS refresh of the active KDS.

C3C (3132) The archive data set name specified for coordinated KDS refresh or coordinated KDS change master key is too long. The archive data set name must allow enough space for renaming the KDS VSAM data and index portions within 44 characters.

User action: Specify a shorter name for the archive data set name to allow enough space for renaming the KDS VSAM data and index portions within 44 characters. The archive data set name is optional. When specified, the archive data set name must not exist on the system prior to performing the coordinated KDS function.

C3D (3133) During a coordinated KDS refresh or coordinated KDS change master key with the archive option specified, the active KDS could not be renamed to the archive data set name. This failure occurred because the active KDS VSAM data and index suffix names were not valid for performing the rename.

User action: Consider alternate names for the active KDS VSAM data and index suffixes. The archive data set name is optional. When specified the archive data set name must not exist on the system prior to performing the coordinated KDS function.

C3E (3134) A coordinated KDS change master key attempted to use a new KDS that is currently another sysplex members active KDS. Performing a coordinated KDS change master key to another sysplex members active KDS is not allowed as it would alter all sysplex members configured in that sysplex KDS cluster (same active KDS).

User action: Specify a new KDS that is not currently the active KDS of another sysplex member and retry the function.

F9F (3999) On a call to CKDS Key Record Delete or CKDS Key Record Write2, the label refers to a Variable-length Symmetric key token with an unrecognized algorithm or key type in the associated data section. Only key tokens with a recognized algorithm or key type can be managed on this release of ICSF.

User action: Call CKDS Key Record Delete or CKDS Key Record Write2 on a release of ICSF which recognizes the algorithm and key type of this token.

FA0 (4000) The encipher and decipher callable services sometime require text (plaintext or ciphertext) to have a length that is an exact multiple of 8 bytes. Padding schemes always create ciphertext with a length that is an exact multiple of 8. If you want to decipher ciphertext that was produced by a padding scheme, and the text length is not an exact multiple of 8, then an error has occurred. The CBC mode of enciphering requires a text length that is an exact multiple of 8.

The ciphertext translate callable service cannot process ciphertext whose length is not an exact multiple of 8.

User action: Review the requirements of the service you are using. Either adjust the text you are processing or use another process rule.

REASONCODES: TSS 033 (051)

1388 (5000) Target cryptographic module is not available in the configuration.

User action: Correct the target cryptographic module parameter and resubmit.

138C (5004) Format of the cryptographic request message is not valid.

User action: Correct the request and resubmit it.

1390 (5008) Length of the cryptographic request message is not valid.

User action: Message length of request must be nonzero, a multiple of eight, and less than the system maximum. Correct the request and resubmit it.

1782 (6018) One or more of the parameters passed to this callable service are in error.

User action: Refer to the parameter descriptions in this publication under the appropriate callable service to ensure the parameter values specified by your application are valid.

2710 (10000) A key identifier was passed to a service or token. It is checked in detail to ensure that it is a valid token, and that the fields within it are valid values. There is a token validation value (TVV) in the token, which is a non-cryptographic value. This value was again computed from the rest of the token, and compared to the stored TVV. If these two values are not the same, this reason code is returned.

User action: The contents of the token have been altered because it was created by ICSF or TSS. Review your program to see how this could have been caused.

REASONCODES: TSS 0C (12) and 1D (29)

2714 (10004) A key identifier was passed to a service. The master key verification pattern in the token shows that the key was created with a master key that is neither the current master key nor the old master key. Therefore, it cannot be reenciphered to the current master key.

User action: Re-import the key from its importable form (if you have it in this form), or repeat the process you used to create the operational key form. If you cannot do one of these, you cannot repeat any previous cryptographic process that you performed with this token.

REASONCODES: TSS 030 (048)

271C (10012) A key label was supplied for a key identifier parameter. This label is the label of a key in the in-storage CKDS or the PKDS. Either the key could not be found, or a key record with that label and the specific type required by the ICSF callable service could not be found. For a retained key label, this error code is also returned if the key is not found in the PCICC, PCIXCC, CEX2C, or CEX3C specified in the PKDS record.

User action: Check with your administrator if you believe that this key should be in the in-storage CKDS or the PKDS. The administrator may be able to bring it into storage. If this key cannot be in storage, use a different label.

REASONCODES: TSS 01E (030)

2720 (10016) You specified a value for a key_type parameter that is not an ICSF-defined name.

User action: Review the ICSF key types and use the appropriate one.

REASONCODES: TSS 03D (061)

2724 (10020) You specified the word TOKEN for a key_type parameter, but the corresponding key identifier, which implies the key type to use, has a value that is not valid in the control vector field. Therefore, a valid key type cannot be determined.

User action: Review the value that you stored in the corresponding key identifier. Check that the value for key_type is obtained from the appropriate key_identifier parameter.

REASONCODES: TSS 027 (039)

272C (10028) Either the left half of the control vector in a key identifier (internal or external) equates to a key type that is not valid for the service you are using, or the value is not that of any ICSF control vector. For example, an exporter key-encrypting key is not valid in the key import callable service.

User action: Determine which key identifier is in error and use the key identifier that is required by the service.

REASONCODES: TSS 027 (039)

2730 (10032) Either the right half of the control vector in a key identifier (internal or external) equates to a key type that is not valid for the service you are using, or the value is not that of any ICSF control vector. For example, an exporter key-encrypting key is not valid in the key import callable service.

User action: Determine which key identifier is in error and use the key identifier that is required by the service.

REASONCODES: TSS 027 (039)

2734 (10036) Either the complete control vector (CV) in a key identifier (internal or external) equates to a key type that is not valid for the service you are using, or the value is not that of any ICSF control vector.

The difference between this and reason codes 10028 and 10032 is that each half of the control vector is valid, but as a combination, the whole is not valid. For example, the left half of the control vector may be the importer key-encrypting key and the right half may be the input PIN-encrypting (IPINENC) key.

User action: Determine which key identifier is in error and use the key identifier that is required by the service.

REASONCODES: TSS 027 (039)

2738 (10040) Key identifiers contain a version number. The version number in a supplied key identifier (internal or external) is inconsistent with one or more fields in the key identifier, making the key identifier unusable.

User action: Use a token containing the required version number.

REASONCODES: TSS 031 (049)

273C (10044) A cross-check of the control vector the key type implies has shown that it does not correspond with the control vector present in the supplied internal key identifier.

User action: Change either the key type or key identifier.

REASONCODES: TSS 0B7 (183)

2740 (10048) The key_type parameter does not contain one of the valid types for the service or the keyword TOKEN.

User action: Check the supplied parameter with the ICSF key types. If you supplied the keyword TOKEN, check that you have padded it on the right with blanks.

REASONCODES: TSS 03D (061)

2744 (10052) A null key identifier was supplied and the key_type parameter contained the word TOKEN. This combination of parameters is not valid.

User action: Use either a null key identifier or the word TOKEN, not both.

REASONCODES: TSS 027 (039)

2748 (10056) You called the key import callable service. The importer key-encrypting key is a NOCV importer and you specified TOKEN for the key_type parameter. This combination is not valid.

User action: Specify a value in the key_type parameter for the operational key form.

274C (10060) You called the key export callable service. A label was supplied in the key_identifier parameter for the key to be exported and the key_type was TOKEN. This combination is not valid because the service needs a key type in order to retrieve a key from the CKDS.

User action: Specify the type of key to be exported in the key_type parameter.

REASONCODES: TSS 03D (061)

2754 (10068) A flag in a key identifier indicates the master key verification pattern (MKVP) is not present in an internal key token. This setting is not valid.

User action: Use a token containing the required flag values.

REASONCODES: TSS 02F (047)

2758 (10072) A flag in a key identifier indicates the encrypted key is not present in an external token. This setting is not valid.

User action: Use a token containing the required flag values.

REASONCODES: TSS 02F (047)

275C (10076) A flag in a key identifier indicates the control vector is not present. This setting is not valid.

User action: Use a token containing the required flag values.

REASONCODES: TSS 02F (047)

2760 (10080) An ICSF private flag in a key identifier has been set to a value that is not valid.

User action: Use a token containing the required flag values. Do not modify ICSF or the reserved flags for your own use.

2768 (10088) If you supplied a label in the key_identifier parameter, a record with the supplied label was found in the CKDS, but the key type (CV) is not valid for the service. If you supplied an internal key token for the key_identifier parameter, it contained a key type that is not valid.

User action: Check with your ICSF administrator if you believe that this key should be in the in-storage CKDS. The administrator may be able to bring it into storage. If this key cannot be in storage, use a different label.

REASONCODES: TSS 027 (039)

276C (10092) You supplied a source key that does not have odd parity and specified ENFORCE as the parity rule on the rule_array parameter for either the ANSI X9.17 key export, ANSI X9.17 key import, or ANSI X9.17 key translate callable service.

User action: Either supply an ODD parity key or change the rule_array parameter to specify a parity rule of IGNORE.

2770 (10096) The transport key you specified is a single-length key, which cannot be used to encrypt a double-length AKEK or (*KK).

User action: Use a double-length AKEK for the transport key.

2774 (10100) You specified a transport key that cannot be notarized and specified the keyword NOTARIZE in the rule_array parameter. The transport key may have already been partially notarized.

User action: Use a transport key that allows notarization or change the rule_array parameter keyword to CPLT-NOT.

2778 (10104) The AKEK you specified is either partially notarized or is a partial AKEK, which is not valid for this service.

User action: Use a correct AKEK that is not partially notarized. A partially notarized key can be used as a transport key if you specify CPLT-NOT in the rule_array parameter.

277C (10108) You did not supply a partial AKEK for the key_identifier parameter of the key part import service.

User action: Correct the key_id parameter.

2780 (10112) The transport key you specified has not been partially notarized and you have specified CPTL-NOT for the rule_array parameter.

User action: Use a transport key that has been partially notarized or change the rule_array parameter.

2784 (10116) You attempted to export an AKEK with a CCA key export service, which is not supported.

User action: Use the ANSI X9.17 Key Export callable service.

2788 (10120) The internal key token you supplied, or the key token that was retrieved by the label you supplied, contains a flag setting or data encryption algorithm bit that is not valid for this service.

User action: Ensure that you supply a key token, or label, for a non-ANSI key type.

278C (10124) The key identifier you supplied cannot be exported because there is a prohibit-export restriction on the key.

User action: Use the correct key for the service.

REASONCODES: TSS 027 (039)

2790 (10128) The keyword you supplied in the rule_array parameter is not consistent or not valid with another parameter you specified. For example, the keyword SINGLE is not valid with the key type of EXPORTER in the key token build callable service.

User action: Correct either the rule_array parameter or the other parameter.

REASONCODES: TSS 09C (156)

2791 (10129) S390 KEKs with NOCV (flagged as such by the MASK_NOCV bit in the flags field of the token), are not permitted in the RKX service.
2AF8 (11000) The value specified for length parameter for a key token, key, or text field is not valid.

User action: Correct the appropriate length field parameter.

REASONCODES: TSS 048 (072)

2AFC (11004) The hash value (of the secret quantities) in the private key section of the internal token failed validation. The values in the token are corrupted. You cannot use this key.

User action: Recreate the token using the appropriate combination of the PKA key token build, PKA key generate, and PKA key import callable services.

REASONCODES: TSS 02F (047)

2B00 (11008) The public or private key values are not valid. (For example, the modulus or an exponent is zero.) You cannot use the key.

User action: You may need to recreate the token using the PKA key token build or PKA key import callable service or regenerate the key values on another platform.

REASONCODES: TSS 302 (770)

2B04 (11012) The internal or external private key token contains flags that are not valid.

User action: You may need to recreate the token using the PKA key token build or PKA key import callable service.

REASONCODES: TSS 02F (047)

2B08 (11016) The calculated hash of the public information in the PKA token does not match the hash in the private section of the token. The values in the token are corrupted.

User action: Verify the public key section and the key name section of the token. If the token is still rejected, then you need to recreate the token using the appropriate combination of the PKA key token build, PKA key generate, and PKA key import callable services.

REASONCODES: TSS 02F (047)

2B0C (11020) The hash pattern of the PKA master key (SMK or KMMK) in the supplied internal PKA private key token does not match the current system’s PKA master key. This indicates the system PKA master key has changed since the token was created. You cannot use the token.

User action: Recreate the token using the appropriate combination of the PKA key token build, PKA key generate, and PKA key import callable services.

REASONCODES: TSS 030 (048)

2B10 (11024) The PKA tokens have incomplete values, for example, a PKA public key token without modulus.

User action: Recreate the key.

REASONCODES: TSS 02F (047)

2B14 (11028) The modulus of the PKA key is too short for processing the hash or PKCS block.

User action: Either use a PKA key with a larger modulus size, use a hash algorithm that generates a smaller hash (digital signature services), or specify a shorter DATA key size (symmetric key export, symmetric key generate).

REASONCODES: TSS 048 (072)

2B18 (11032) The supplied private key can be used only for digital signature. Key management services are disallowed.

User action: Supply a key with key management enabled.

REASONCODES: TSS 040 (064)

2B20 (11040) The recovered encryption block was not a valid PKCS-1.2 or zero-pad format. (The format is verified according to the recovery method specified in the rule-array.) If the recovery method specified was PKCS-1.2, refer to PKCS-1.2 for the possible error in parsing the encryption block.

User action: Ensure that the parameters passed to CSNDSYI or CSNFSYI are correct. Possible causes for this error are incorrect values for the RSA private key or incorrect values in the RSA_enciphered_key parameter, which must be formatted according to PKCS-1.2 or zero-pad rules when created.

REASONCODES: TSS 42 (66)

2B24 (11044) The first section of a supplied PKA token was not a private or public key section.

User action: Recreate the key.

REASONCODES: TSS 0B5(181)

2B28 (11048) The eyecatcher on the PKA internal private token is not valid.

User action: Reimport the private token using the PKA key import callable service.

2B2C (11052) An incorrect PKA token was supplied. One of the following situations is possible:
  • The service requires a private key token of the correct type.
  • The supplied token may be of a type that is not supported on this system.

User action: Check that the supplied token is:

  • a PKA private key token of the correct type.
  • a type supported by this system.
2B30 (11056) The input PKA token contains length fields that are not valid.

User action: Recreate the key token.

2B38 (11064) The RSA-OAEP block did not verify when it decomposed. The block type is incorrect (must be X'03').

User action: Recreate the RSA-OAEP block.

REASONCODES: TSS 2CF (719)

2B3C (11068) The RSA-OAEP block did not verify when it decomposed. The verification code is not correct (must be all zeros).

User action: Recreate the RSA-OAEP block.

REASONCODES: TSS 2D1 (721)

2B40 (11072) The RSA-OAEP block did not verify when it decomposed. The random number I is not correct (must be non-zero with the high-order bit equal to zero).

User action: Recreate the RSA-OAEP block.

REASONCODES: TSS 2D0 (720)

2B48 (11080) The RSA public or private key specified a modulus length that is incorrect for this service.

User action: Re-invoke the service with an RSA key with the proper modulus length.

REASONCODES: See reason codes 41 (65) and 2F8 (760)

2B4C (11084) This service requires an RSA public key and the key identifier specified is not a public key.

User action: Re-invoke the service with an RSA public key.

2B50 (11088) This service requires an RSA private key that is for signature use only.

User action: Re-invoke the service with a supported private key.

2B54 (11092) There was an invalid subsection in the PKA token.

User action: Correct the PKA token.

2B58 (11096) This service requires an RSA private key that is for signature use. The specified key may be used for key management purposes only.

User action: Re-invoke the service with a supported private key.

REASONCODES: TSS 040 (064)

3E80 (16000) RACF failed your request to use this service.

User action: Contact your ICSF or RACF administrator if you need this service.

3E84 (16004) RACF failed your request to use the key label. This may be caused by either CSFKEYS or XCSFKEY class, depending on the setting of the Granular Keylabel Access Controls and the type of token provided.

User action: Contact your ICSF or RACF administrator if you need this key.

3E8C (16012) You requested the conversion service, but you are not running in an authorized state.

User action: You must be running in supervisor state to use the conversion service. Contact your ICSF administrator.

3E90 (16016) The input/output field contained a valid internal token with the NOCV bit on or encryption algorithm mark, but the key type was incorrect or did not match the type of the generated or imported key. Processing failed.

User action: Correct the calling application.

REASONCODES: TSS 027 (039)

3E94 (16020) You requested dynamic CKDS update services for a system key, which is not allowed.

User action: Correct the calling application.

REASONCODES: TSS 0B5 (181)

3E98 (16024) You called the CKDS key record write callable service, but the key token you supplied is not valid.

User action: Check with your ICSF administrator if you believe that this key should be in the in-storage CKDS. The administrator may be able to bring it into storage. If this key cannot be in storage, use a different label.

3EA0 (16032) Invalid syntax for CKDS or PKDS label name.

User action: Correct key_label syntax.

REASONCODES: TSS 020 (032)

3EA4 (16036) The CKDS key record create callable service requires that the key created not already exist in the CKDS or PKDS. A key of the same label was found.

User action: Make sure the application specifies the correct label. If the label is correct, contact your ICSF security administrator or system programmer.

REASONCODES: TSS 02C (044)

3EA8 (16040) Data in the PKDS record did not match the expected data. This occurs if the record does not contain a null PKA token and CHECK was specified.

User action: If the record is to be overwritten regardless of its content, specify OVERLAY.

3EAC (16044) One or more key labels specified as input to the PKA key generate or PKA key import service incorrectly refer to a retained private key. If generating a retained private key, this error may result from one of these conditions:
  • The private key name of the retained private key being generated is the same as an existing PKDS record, but the PKDS record label was not specified as the input skeleton (source) key identifier.
  • The label specified in the generated_key_token parameter as the target for the retained private key was not the same as the private key name

If generating or importing a non-retained key, this error occurs when the label specified as the target key specifies a retained private key. The retained private key cannot be over-written.

User action: Make sure the application specifies the correct label. If the label is correct, contact your ICSF security administrator or system programmer.

3EB0 (16048) Retained keys on the PKDS cannot be deleted or updated using the PKDS key record delete or PKDS key record write callable services, respectively.

User action: Use the retained key delete callable service to delete retained keys.

Reason code 0, return code 308 (776) RACF failed your request to use this service.

User action: Contact your ICSF or RACF administrator if you need this service.

Reason code 1, return code 308 (776) RACF failed your request to use the key label.

User action: Contact your ICSF or RACF administrator if you need this key.

06E (110)-PAN, 028 (040)-ser. code, 02A (042)-exp. date, 066 (102)-dec table, 067 (103)-val. table, 06C (198)-pad data The PAN, expiration date, service code, decimalization table data, validation data, or pad data is not numeric (X'F0' through X'F9'). The parameter must be character representations of numerics or hexadecimal data.

User action: Review the numeric parameters or fields required in the service that you called and change to the format and values required.

Go to the previous page Go to the next page




Copyright IBM Corporation 1990, 2014